Project

General

Profile

Actions

Bug #1776

closed

Multiple Content-Length headers causes HTP_STREAM_ERROR

Added by David Wharton about 8 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Summary:

Multiple Content-Length headers causes libhtp to stop parsing and return HTP_STREAM_ERROR.

Example rule:

alert http any any -> any any (msg:"HTTP Host Header"; flow:established, to_server; content:"Host|3A|"; http_header; sid:4567890;)

Example traffic (full pcap attached):

POST /submit.php HTTP/1.1
User-Agent: Mozilla
Host: suricata-ids.org
Content-Length: 45
Cache-Control: no-cache
Content-Length: 45

foo=bar&a=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Debug output snippet:

htp_connp_REQ_HEADERS: ptr 0x2aec89ee9305 offset 0 len 20
00000000  43 6f 6e 74 65 6e 74 2d  4c 65 6e 67 74 68 3a 20  |Content-Length: |
00000010  34 35 0d 0a                                       |45..|

Header name: ptr 0x1c2c2d58 offset 0 len 14
00000000  43 6f 6e 74 65 6e 74 2d  4c 65 6e 67 74 68        |Content-Length|

Header value: ptr 0x1c2c2d88 offset 0 len 2
00000000  34 35                                             |45|

htp_connp_REQ_HEADERS: ptr 0x2aec89ee9319 offset 0 len 2
00000000  0d 0a                                             |..|

htp_connp_req_data: returning HTP_STREAM_ERROR

Possible solutions:

If all Content-Lengh values are the same, continue as usual. If not, instead of aborting, something else could be done:

  1. Use the first one seen
  2. Use the last one seen
  3. Use the largest
  4. Use the smallest

My first thought is to go with use the smallest.

Notes:

This behavior tested/seen with Suricata 2.0.9 and 3.0.1, not with 1.3.4 though.

To do:

See how other multiple HTTP header names are handled, especially those that populate http_user_agent, http_host, and http_cookie buffers.


Files

multiple_content-length.pcap (558 Bytes) multiple_content-length.pcap David Wharton, 05/02/2016 08:39 AM
duplicate_header-custom.pcap (710 Bytes) duplicate_header-custom.pcap David Wharton, 08/17/2016 10:42 AM

Related issues 1 (0 open1 closed)

Copied to Suricata - Bug #3186: Multiple Content-Length headers causes HTP_STREAM_ERROR (4.1.x)ClosedPhilippe AntoineActions
Actions

Also available in: Atom PDF